James R. Mirick sets the record straight on things he cares about

Keeping Yourself Safe on the Internet — the New Rules

This is part three of a series on the new threat landscape of the Internet, and how you, as an average, non-technical user, can navigate it safely. Part 1 discusses why ordinary people often don’t take even basic precautions: they feel the cost-benefit balance is not worth it to them personally, and mostly they’re right. Part 2 defines overall Internet-based security threats. Now in this post we’ll deal with an effective, and minimally invasive, strategy for keeping safe — four simple rules. OK, if you’re a security geek, you will think these are woefully inadequate, but I believe that if the average person will follow them, their security effort-expenditure will be acceptable and they will be protected from the most significant exposures. To the security geeks among us: average people aren’t following the rules and guidelines we’ve been publishing anyway, so if they follow just these, they’ll be much better off.

Preparing To Face the Internet

First, I strongly suggest that you take your machine to someone who will do a “full system backup” for you. This is not your data files, just the computer’s programs and settings. If you get a serious malware infection, the only way to get rid of it is to wipe the disk and restore the system, and this will make that faster and easier and get you back in business. Find a good local help-person or go to Geek Squad or someone like them.

Then, take a few minutes to develop a couple of passwords for yourself, for which I have a few hints below under Password Strategy.

Finally, turn on the Windows firewall and Windows Defender if you have a recent machine, or get a techno-friend to install a good firewall and basic anti-virus program. They’re not perfect, but they help a lot. There are free ones for Windows, including Comodo, AVG, Avast, and others. You don’t need a massive, full-featured “Grand Internet Security” system, take it from me. You don’t need much, but you do need something. If you have trouble doing this, go into the store or get a consultant. The hour or so you will pay them will be, in the long run, very much worth it.

Now, Here Are the Rules!

Versions of these same “average-person” rules have also been promulgated by Leo Laporte, Steve Gibson, and others; they’re not unique to me. But I say, follow these and be safe(r)!

Set Windows Update or the Mac Software Update to run automatically. This is by far the most powerful weapon you have, and it’s free, and self-running. Yet large numbers of people for reasons I can’t imagine don’t do it. This, by itself, will protect you from more trouble than you will believe.

Never click on a link in an email. Never. Better to highlight the URL (the HTTP:// . . . thing) with your mouse without clicking it, and copy / paste it into your browser’s address bar. The problem here is that the actual link destination is hidden under what is visible (which is a label, even if it looks like a URL), so even if the visible link looks OK, the real destination might not be.
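As an added example (not part of the original post), here is a small Python script that does the check this rule describes mechanically: it pulls every link out of an HTML e-mail body and flags those whose visible label looks like a web address but whose real destination (the href) points at a different host. The e-mail body and the domain names in it are constructed placeholders, not real sites.

```python
"""Flag e-mail links whose visible label and real destination disagree.

Added example, not from the original post. SAMPLE_EMAIL_HTML is a
constructed message; every domain in it is a placeholder.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A label "claims" a destination only if the whole label reads like a URL
# or a bare host name ("mybank.example", "https://www.mybank.example/login").
URL_LABEL = re.compile(
    r"^(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)+)(?:[/?#]\S*)?$", re.I
)


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []      # finished (href, label) pairs
        self._href = None    # href of the <a> currently open, if any
        self._label = []     # text fragments seen inside that <a>

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._label = []

    def handle_data(self, data):
        if self._href is not None:
            self._label.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._label).strip()))
            self._href = None


def _normalize(host):
    """Lowercase a host and drop a leading 'www.' so that
    'www.mybank.example' and 'mybank.example' compare equal."""
    host = (host or "").lower()
    return host[4:] if host.startswith("www.") else host


def find_deceptive_links(html):
    """Return (label, href) pairs where the label looks like a web address
    but names a different host than the one the href really points to."""
    parser = _AnchorCollector()
    parser.feed(html)
    suspicious = []
    for href, label in parser.links:
        match = URL_LABEL.match(label)
        if not match:
            # Labels such as "Click here" make no claim about the destination.
            continue
        claimed = _normalize(match.group(1))
        actual = _normalize(urlparse(href).hostname)
        if claimed != actual:
            suspicious.append((label, href))
    return suspicious


# Constructed sample e-mail body: one lookalike link, one honest link,
# and one generic "Click here" link.
SAMPLE_EMAIL_HTML = """
<p>Dear customer, please verify your account:</p>
<a href="http://login.attacker-placeholder.example/verify">https://www.mybank.example/login</a>
<p>Or read our newsletter:</p>
<a href="https://news.mybank.example/issue42">news.mybank.example</a>
<a href="http://tracker.example/click?id=7">Click here</a>
"""

if __name__ == "__main__":
    for label, href in find_deceptive_links(SAMPLE_EMAIL_HTML):
        print(f"label says {label!r} but really goes to {href!r}")
```

Run it and the first link is reported: the label reads like the bank's login page, while the href goes somewhere else entirely. The newsletter link passes because label and destination agree, and "Click here" is ignored because a generic label makes no claim that could be false.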

Don’t open email attachments. These are also sources of malware infections, one of the chief ones. This is especially true of presumably funny ones forwarded all around, the ones that end in .wmv (Windows Media Player files). Tell your Aunt Doris to have her pre-teen daughter post it to YouTube or Flickr or whatever, if she thinks it’s so great, but don’t open it from the email. When you put something on YouTube, for example, it’s filtered and anti-virused and you’re safe looking at it there.

Stay away from questionable websites. This includes almost anything “free” — porn (even soft porn), free music, free software, and the like. These sites are laden with viruses and trojans — that’s why their music is free, because they’re being paid by somebody to load malware on your machine!

A New, Simpler, Password Strategy

In the past, I’ve repeatedly produced careful recommendations on constructing strong passwords, great long strings of gibberish that can withstand a brute-force attack for on average several years. However (see Part 1) these recommendations have been almost universally ignored because the time and effort to implement / forget / recover / look them up and so on actually exceeds the expected average loss to the average user. So, ever congruent with reality, I’ve revised my suggestions to make them much simpler and more in alignment with the effort people are actually willing to put in.

Now, you only need two or three passwords, and they can be something you can remember. But please, not “password” or “letmein” or “asdflkjh” or something like that. If you’re in Minnesota, it should not be “vikings.” I mean, don’t just give away the keys. Choose something meaningful to you, yes even English words (a common recommendation is “nothing in a dictionary”), your dog, or whatever. But not “111111”.

You need just two, and maybe three passwords:

One for almost everything that makes you register: every newspaper, weather site, and all the other things that think they need to recognize you personally when you return. Use the same username (if you can) and a nice, comfortable password. To the extent that these are really trivial sites, respond “yes” when the browser asks you, “shall I remember you next time?”

Financial sites believe strongly in “trial by ordeal” for you to get in, and of course it’s in their best interest to strongly authenticate you as it reduces their fraud costs. So they will probably have more or less elaborate rules, like mixed-case, letters-and-numbers, X characters long, and all that. My suggestion is to select one that meets their minimum standards, write it down, and put it in your wallet (without the bank name or userid on it, of course). That’s all you need. Note that these sites are now all aflame with the concept of multiple questions, “secret pictures” and other hassle-laden rubbish. Do what they demand, of course, but I can tell you that these things really don’t work and they’re just a huge hassle for you.

Optionally, you might want to have a different password for your email accounts, different from the throwaway one; this is up to you. I do, but I’m a little more freaky about this than maybe you are. The actual incremental safety from this is fairly small, but I do it anyway.

So that’s it — four rules, two or three passwords, and you will have made yourself fairly safe at a very minimal cost / effort. So if you do nothing else, do these!